Mark Villinski
@markvillinski
TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY
Why do we have to educate employees about cybersecurity?
2014 Corporate Threats Survey
http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf?_ga=1.57626858.1152823312.1404311525
• 94% of businesses suffered one cyber attack in the last 12 months
• Nearly 27% of companies lost confidential data as the result of an internal security incident
• Average cost of an accidental data leak: $39K for SMBs, $884K for enterprises
QUICK POLL
PERCEPTION VS. REALITY
B2B International and Kaspersky Lab, “IT Security Threats and Data Breaches,” October, 2014.
REALITY TODAY
How bad is it out there?
Malware
1994
One new virus every hour
2006
One new virus every minute
2011
One new virus every second
Or 70,000 samples/day
Kaspersky Lab is currently processing 325,000 unique malware samples EVERY DAY
The Basic Theory for Staying Secure
Simple math for advanced protection… [chart: investment in security vs. chance of getting infected]
The chance of getting infected drops exponentially while the cost of an attack increases linearly
Tip #1: Regularly talk to employees about cybersecurity.
Explain the potential impact a cyberincident may have on company operation
Annual review and signing of an “I have read and understood company IT policies” form is not enough!
Anyone can be a target
Tip #2: Remember that top management and IT staff are employees too!
Top managers are often targeted because:
– They have access to more information
– IT bends the rules for them
– The damage/payoff can be much bigger!
IT folks are vulnerable, too: unlimited power over the network!
Tip #3: Explain to the employees that while you make the best effort to secure company infrastructure, a system is only as secure as the weakest link
You don’t want them to just comply, you want them to cooperate
You can’t create a policy sophisticated enough to cover all possible vectors of attack
You can’t totally dehumanize humans. Humans have weaknesses and make mistakes.
Tip #4: Have regular focused sessions with employees to explore different types of cyberattacks
Consider different formats (lunch and learn?)
Make it useful: most of them have PCs at home and relatives who also need help
Make it relevant and responsive to real-world examples: notice how much more often these topics hit the nightly news; those topics are big on social networks!
Malware: what is it?
Malware, short for malicious software, is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.
Characteristics:
– Unique per-instance signature to evade antivirus
– Activates programmatically
– Connects to a Command & Control Center
– Keylogger, ransomware, Remote Access Tool (RAT), and man-in-the-browser
Once a system is owned, it can’t be restored.
Phishing Prevention: the 100% rules!
• Never click a link in an email
• Never open unexpected attachments
• Never provide information, no matter how innocuous it may seem, to unsolicited phone callers, visitors or email requests
• Never agree to an unsolicited remote control session (such as WebEx, GoToMeeting, LogMeIn)
• Your best defense: “Can I call you back?”
July 2012 – Yahoo passwords hacked
435,000 usernames and passwords hacked. Particularly troubling? The login credentials are in plaintext, not even encrypted.
TOP TEN PASSWORDS FROM THE YAHOO HACK
1) 123456 (38%)
2) password (18%)
3) welcome (10%)
4) ninja (8%)
5) abc123 (6%)
6) 123456789 (5%)
7) 12345678 (5%)
8) sunshine (5%)
9) princess (5%)
10) qwerty (4%)
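The top-ten list above is exactly the kind of deny list a password policy should check new passwords against. As an added example (not from the slides), the Python below uses the ten leaked passwords as a constructed deny list and also catches the usual "strengthened" variants of them (capitalisation, a trailing year, leetspeak); a real deployment would load a full breached-password list in place of the ten entries, and the sample batch at the bottom is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Deny list constructed from the slide's top ten (value = share of leaked accounts, %).
LEAKED_TOP_TEN: Dict[str, int] = {
    "123456": 38, "password": 18, "welcome": 10, "ninja": 8, "abc123": 6,
    "123456789": 5, "12345678": 5, "sunshine": 5, "princess": 5, "qwerty": 4,
}

# Single-character substitutions users apply to a base word ("p@ssw0rd").
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Digits/punctuation glued to the start or end of a word ("Welcome1", "Sunshine!!").
_EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def check_password(password: str,
                   deny: Dict[str, int] = LEAKED_TOP_TEN) -> Tuple[bool, Optional[str]]:
    """Return (is_weak, matched_entry).

    The raw case-folded password is tested first so all-digit entries such as
    '123456' match; then the word left after stripping edge digits/punctuation,
    with and without leetspeak undone, is tested so 'P@ssword2014!' is caught
    through its base word 'password'.
    """
    lower = password.lower()
    core = _EDGE_JUNK.sub("", lower)
    for candidate in (lower, core, core.translate(LEET_MAP)):
        if candidate and candidate in deny:
            return True, candidate
    return False, None


def audit(passwords: List[str]) -> Tuple[int, int]:
    """Count how many of a batch of passwords the deny list would reject."""
    weak = sum(1 for p in passwords if check_password(p)[0])
    return weak, len(passwords)


# Constructed sample batch (not real credentials).
SAMPLE_PASSWORDS = ["P@ssword2014!", "Welcome1", "correct horse battery staple",
                    "123456", "Tr0ub4dor&3", "Sunshine!!"]

if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        weak, hit = check_password(p)
        print(f"{p!r:32} {'REJECT (matches ' + repr(hit) + ')' if weak else 'ok'}")
    print("rejected %d of %d" % audit(SAMPLE_PASSWORDS))
```

The point of the variant checks is that a length-and-complexity rule alone accepts "P@ssword2014!" even though its base word is the second most common password in the leak; checking the base word against a deny list is what actually raises the bar.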
Ransomware
• More than 40% of CryptoLocker victims agreed to pay
• A Dell SecureWorks report estimates that ransomware rakes in $30 million every 100 days
• Expanding victim base means unlimited financial potential
RSA: Targeted Attack Case Study
▶ On March 17th 2011, RSA announced that it was hacked
▶ During the 2011 Kaspersky Security Analyst Summit, Uri Rivner from RSA talked about how it happened:
▶ Two employees received an e-mail which contained a spreadsheet attachment labeled “2011 Recruitment Plan”.
▶ The e-mail had been marked as spam and put into the spam folder
▶ One of the employees opened it… and triggered an exploit for a zero-day Adobe Flash vulnerability.
RSA E-mail & Attachment
http://www.f-secure.com/weblog/archives/00002226.html
Phishing at ABC University
How did this happen?
• Trickery. A spear-phishing attack. People were tricked by a believable e-mail message into giving their passwords to the bad guys
• Spear-phishers and their tactics
– Message crafted for ABC University
– Sent to a small number of selected people
– Strike on weekends & holidays, when you are less protected
• Goals: to collect information that will let them steal money
– Passwords, social security numbers, bank account or credit card numbers
Not Encrypted: no https
Not going to real ABC University login site
Impact to people and ABC University
• The University was able to recover a good portion of the money
• Anyone can fall for a clever phishing scam
• The University did replace paychecks
– This would be very challenging on a large scale
Lessons learned
• Understand how to know if you are at the real University web login, or a clever fake
• Learn how to analyze email messages to detect ones that are malicious
• Find out how to protect yourself and your devices from cyber threats
• Know common scams
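The "real login or clever fake" question above comes down to the two things the fake-page slide points out: whether the connection is encrypted (https) and whether the address really belongs to the institution. As an added example (not from the slides or the university), the Python below turns those two checks into a function and also flags the common ways a fake address is dressed up to look right at a glance. The genuine host name login.example.edu is an assumed placeholder, and every sample URL is constructed.

```python
from typing import List
from urllib.parse import urlsplit

# Assumed placeholder for the institution's genuine login page (not from the slides).
REAL_LOGIN_HOST = "login.example.edu"
REAL_DOMAIN = "example.edu"


def classify_login_url(url: str, real_host: str = REAL_LOGIN_HOST,
                       real_domain: str = REAL_DOMAIN) -> List[str]:
    """Return the reasons a URL is NOT the genuine login page (empty list = passes).

    Only the part of the URL the browser actually uses as the host is compared;
    the text a user *reads* can differ from it in several ways, each flagged below.
    """
    problems: List[str] = []
    parts = urlsplit(url.strip())

    # "Not encrypted: no https"
    if parts.scheme.lower() != "https":
        problems.append("not encrypted: scheme is %r, expected https" % parts.scheme)

    # "user@host": everything before '@' is a username, not the destination,
    # even though it is the first thing the eye reads.
    if parts.username is not None:
        problems.append("%r before '@' is a username, not the host" % parts.username)

    host = (parts.hostname or "").lower()   # hostname excludes userinfo and port

    # An xn-- label means the displayed name contained non-ASCII characters,
    # which is how lookalike letters get into a domain name.
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("host %r has an IDN (xn--) label: possible lookalike characters" % host)

    # "Not going to the real login site"
    if host != real_host:
        if real_host in host:
            problems.append("real name %r is embedded in a different domain %r" % (real_host, host))
        elif host.endswith("." + real_domain):
            problems.append("%r is under %s but is not the login host %r" % (host, real_domain, real_host))
        else:
            problems.append("host %r is not the real login host %r" % (host, real_host))
    return problems


# Constructed test addresses (none of these are real sites).
SAMPLE_URLS = [
    "https://login.example.edu/cas/login",                  # genuine
    "http://login.example.edu/cas/login",                   # right host, no https
    "https://login.example.edu.account-verify.net/login",   # real name as a subdomain of another domain
    "https://login.example.edu@203.0.113.7/login",          # real name placed before '@'
    "https://xn--lgin-example.edu/login",                   # IDN label (constructed)
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        problems = classify_login_url(url)
        print(url)
        print("   " + ("OK" if not problems else "; ".join(problems)))
```

The lesson for training material is the same one the function encodes: a URL that merely contains the institution's name is not the institution's site; only an exact match on the host the browser connects to, over https, counts.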
Tip #5: Pay special attention to social engineering
A lot of cyberincidents start with a phone conversation with someone who poses as a co-worker and builds an understanding of the company's internal structure and operations by asking innocent questions
A cybercriminal exploiting social weaknesses almost never looks like one
A Dangerous Weapon of Cybercrime
Piggybacking?
The Importance of Securing Computers/Workstations
Windows: press Win + L to lock the screen
Mac: enable the screensaver and check the “Require password to quit screensaver” check box
Tip #6: Train your employees to recognize an attack
Communicate clear-cut step-by-step instructions on what to do if an employee believes a cyber incident is happening
If you are not trained, you will get lost when the “show” starts
Training should involve things like:
Unplug your machine from the network (physically)
Notify your administrator
Remember that any and every key stroke can be sent to cyber criminals by a key logger
If you can’t find your mobile device – immediately notify your administrator
Emergency number: if you can’t find your IT emergency number in under 20 seconds, you are doing it wrong.
…and so on
Tip #7: Never disapprove or make fun of an employee who raises a red flag
…even if it is a false alarm – this will discourage employees from raising the alarm when a real cyberattack comes
I mean NEVER
If false alarms come often, improve training approach
Tip #8: In case of an incident, give your employees a heads up
Even if an incident has happened already, improper handling may (significantly) increase impact
Issue an instruction on how to speak to public/press about the incident
Have a plan in place BEFORE anything happens
Get insurance for cyber-incidents
Tip #9: Test knowledge
Regularly
Make it relevant – remember they live digital lives. It matters!
Make it fun. Or rewarding. Or fun and rewarding.
Phish Self-Testing (Too Successful 12/2013)
Phish Self-Testing (Zero Success 5/2014)
Phish Self-Testing eSlap
Are you cyber savvy?
https://blog.kaspersky.com/cyber-savvy-quiz/
Tip #10: Listen to feedback
If you force employees to change passwords every week, be prepared that they will write them down and post them in their workplace
If access to something they need for work is too complicated, they will use personal email, USB sticks or fellow employees to bypass the restrictions
If something is out of balance, it will trigger unsafe behavior. Listening to feedback means learning the root cause of that
Systems Management & Actionable Patching
VULNERABILITY SCANNING
• HW and SW inventory
• Multiple vulnerability databases
REMOTE TOOLS
• Install applications
• Update applications
• Troubleshoot
LICENCE MANAGEMENT
• Track usage
• Manage renewals
• Manage license compliance
NETWORK ADMISSION CONTROL (NAC)
• Guest policy management
• Guest portal
ADVANCED PATCHING
• Automated prioritization
• Reboot options
SYSTEM PROVISIONING
• Create images
• Store and update
• Deploy
Whitelisting & Application Control
DEVICE CONTROL
WEB CONTROL
APPLICATION CONTROL WITH DYNAMIC WHITELISTING
Encryption & Data Protection
[diagram: inside the network / outside the network]
If cybercriminals seize control of the system and penetrate the corporate network, they may try to exfiltrate sensitive data such as configuration files, private keys and source code. However, even if the criminals manage to download something, they will not be able to read the content of the encrypted files.
Why Kaspersky?
OUR LEADERSHIP IS PROVEN BY INDEPENDENT TESTS